Nominum: 24 Million Home Routers Exposing ISPs to DDoS Attacks

Even Internet service providers that go to great lengths to protect their networks are vulnerable.

Tens of millions of home routers are exposing Internet service provider networks to DNS-based distributed denial-of-service (DDoS) attacks, according to new research from DNS software and security provider Nominum.

According to estimates from the company, more than 24 million home routers on the Internet have open DNS proxies that expose ISPs to DNS-based DDoS attacks. In February alone, more than 5.3 million of these routers were used to generate attack traffic, while in January, more than 70 percent of total DNS traffic on one provider's network was associated with DNS amplification.

In a DNS amplification attack, publicly accessible open DNS servers are used to flood a system with DNS response traffic: the attacker sends small queries whose source address is forged to be the victim's, and the much larger responses are delivered to the victim instead.

"The attacks are difficult to combat because there are still many places in the world where it is possible for attackers to spoof IP addresses," says Bruce van Nice, director of product marketing at Nominum. "Even providers who go to great lengths to protect their networks can be exposed, because not everyone is as diligent as they are. DNS is also a critical and universally used protocol, so network-based filters can be very unworkable due to the complexity they introduce.


"The last problem," he tells us, "is home routers are purchased and managed by consumers. Providers may have no control over them, so it is very difficult to change their configuration to remove problems such as this. The best way to address the problem is to make DNS servers smarter -- equip them with fine-grained capabilities to manage malicious traffic while ensuring legitimate traffic is always permitted."
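The "smarter DNS server" approach van Nice describes starts with telling amplification traffic apart from ordinary resolution. The following is an added example, not code from the article or from Nominum: it reads constructed resolver log lines (the format is an assumption) and flags addresses receiving bursts of responses far larger than the queries they supposedly sent, which is the signature of an amplification flood aimed at a spoofed victim.

```python
# Added example (not from the article or Nominum): offline detection of DNS
# amplification patterns in resolver query logs. The log format is constructed.
from collections import defaultdict

# Constructed sample lines: "<epoch> <client_ip> <qtype> <qname> <qbytes> <rbytes>"
SAMPLE_LOG = """\
1393632000 198.51.100.7 ANY isc.org. 64 3300
1393632000 198.51.100.7 ANY isc.org. 64 3300
1393632001 198.51.100.7 ANY isc.org. 64 3300
1393632001 198.51.100.7 ANY ripe.net. 64 3100
1393632002 198.51.100.7 ANY isc.org. 64 3300
1393632000 203.0.113.5 A example.com. 45 61
1393632003 203.0.113.5 AAAA example.com. 45 73
1393632004 203.0.113.5 MX example.com. 45 120
"""

def parse_log(text):
    """Yield (ts, client, qtype, qname, qbytes, rbytes) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of crashing on them
        ts, client, qtype, qname, qb, rb = parts
        yield int(ts), client, qtype, qname, int(qb), int(rb)

def amplification_report(text, min_ratio=10.0, min_queries=3, window=5):
    """Per source IP: query count, ANY count, response/query byte ratio, and a
    flag set when >= min_queries arrive within `window` seconds AND responses
    are >= min_ratio times the query bytes. A flagged source is the spoofed
    victim, so the right response is rate-limiting replies toward it (RRL),
    not treating that address as a hostile client."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "ts": [], "any": 0})
    for ts, client, qtype, _, qb, rb in parse_log(text):
        s = stats[client]
        s["queries"] += 1
        s["qbytes"] += qb
        s["rbytes"] += rb
        s["ts"].append(ts)
        if qtype == "ANY":  # ANY answers are the classic high-gain responses
            s["any"] += 1
    report = {}
    for client, s in stats.items():
        ratio = s["rbytes"] / s["qbytes"]
        ts = sorted(s["ts"])
        burst = any(ts[i + min_queries - 1] - ts[i] <= window
                    for i in range(len(ts) - min_queries + 1))
        report[client] = {"queries": s["queries"], "any_queries": s["any"],
                          "ratio": round(ratio, 1), "flagged": burst and ratio >= min_ratio}
    return report
```

On the sample above, 198.51.100.7 is flagged (five ANY queries in three seconds, responses about 51x larger than the queries) while 203.0.113.5's ordinary A/AAAA/MX lookups are not.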

DNS has emerged as one of the most popular protocols for launching amplification attacks, but it is not the only one. NTP amplification attacks are common as well. According to a report from Incapsula, now part of Imperva, the number of NTP amplification attacks jumped significantly during January and February. Still, DNS amplification represented nearly 35 percent of the large-scale events (20 Gbit/s and above) covered in 2013 and early 2014.

"DNS attacks are nothing new; it’s one of the most common high-volume approaches, and it’s not surprising that they’re still growing in frequency," says Shawn Marck, chief security officer at Black Lotus. "We’re seeing a rise in DrDoS [distributed reflection denial-of-service] attacks, a strategy that frequently targets DNS daemons, and far too many people don’t recognize the need to protect DNS servers on top of their web servers or other networks.

"DNS servers have a very poor configuration, making them easy targets for spoofed sources resulting in large amplification attacks. ISPs that are dealing with these DNS amplification attacks need to consider the fact that the DNS servers are just a small part of their overall network. To ensure they’re properly protected, they need to invest in security measures that cover their networks as a whole, not just web or DNS servers. This is the only means to keep your data safe against traditional DDoS as well as the DNS and NTP amplification attacks, which we can all agree aren’t going anywhere anytime soon."

Home and small-business routers are a huge vulnerability, according to Tod Beardsley, engineering manager at Rapid7.

"We have published dozens of Metasploit modules that exercise dozens of vulnerabilities that range from traditional buffer overflows to default misconfigurations to vendor-installed back doors, and yet still, today, there is no normal, easy way to get updates for these things," says Beardsley. "Because of this total lack of patching, vulnerabilities of home access points are extremely long lived. Your computers and phones all have some kind of scheduled update service that's at least possible, but the router -- the thing that you're most reliant on for secure and performant web-surfing -- is totally lacking in this regard. It's very frustrating."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Hello all. Thanks for the comments. As far as the routers, the DNS data Nominum looked at doesn't tell them anything about a particular brand of routers. Here is a good resource for information on DNS amplification from US-CERT: https://www.us-cert.gov/ncas/alerts/TA13-088A

Is the article saying that home routers are vulnerable because they are not secured? What is the vulnerability to mitigate? Open networks at businesses or schools for that matter would need to be secured. Good luck with that. So I have answered my own question I believe. The author has it right... because these networks will never be secured at the entry level, the DNS must be protected. Good luck with that also when we give over ICANN.

